New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Decoder key export fixes #21519
Decoder key export fixes #21519
Conversation
This is already correct in the rsa_kmgmt.c but other implementations are wrong.
I'll add testcases next. |
When decoding 0 as the selection means to decode anything you get. However when exporting and then importing the key data 0 as selection is not meaningful. So we set it to OSSL_KEYMGMT_SELECT_ALL to make the export/import function export/import everything that we have decoded. Fixes openssl#21493
007da86
to
9c057ed
Compare
master branchI tested this PR with my reproducer, the x25519 public key PEM file, and the OpenSSL on the current latest master branch 06a0d40 plus the commits in this PR. And I can see the encoded and decoded text is same with the original one! master branch plus this PR's commitsThe encoded and decode text is same with the original one. It's okay.
master branch (without this PR's commits)And the encoded and decoded text is different from the original one on the current master branch 06a0d40 without this PR's commits. This is the expected behavior. I checked it just in case.
|
I tested this PR on the lastet openssl-3.1 and openssl-3.1 branches too. It looks good to me! openssl-3.1 branch plus this PR's commits
openssl-3.0 branch plus this PR's commitsI tested both x25519 and ed25519 cases.
crypto: x25519
crypto: ed25519
|
@paulidale please reconfirm |
@paulidale - please reconfirm |
This pull request is ready to merge |
This is already correct in the rsa_kmgmt.c but other implementations are wrong. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> (Merged from #21519)
When decoding 0 as the selection means to decode anything you get. However when exporting and then importing the key data 0 as selection is not meaningful. So we set it to OSSL_KEYMGMT_SELECT_ALL to make the export/import function export/import everything that we have decoded. Fixes #21493 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> (Merged from #21519)
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> (Merged from #21519)
When decoding 0 as the selection means to decode anything you get. However when exporting and then importing the key data 0 as selection is not meaningful. So we set it to OSSL_KEYMGMT_SELECT_ALL to make the export/import function export/import everything that we have decoded. Fixes #21493 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> (Merged from #21519) (cherry picked from commit 2acb0d3)
Merged to |
This is already correct in the rsa_kmgmt.c but other implementations are wrong. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> (Merged from #21519) (cherry picked from commit 1ae4678) (cherry picked from commit 8865d7c)
When decoding 0 as the selection means to decode anything you get. However when exporting and then importing the key data 0 as selection is not meaningful. So we set it to OSSL_KEYMGMT_SELECT_ALL to make the export/import function export/import everything that we have decoded. Fixes #21493 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> (Merged from #21519) (cherry picked from commit 2acb0d3) (cherry picked from commit 137ba05)
Thank you! |
I just put the note that this PR's commits were merged as 3 commits to master, openssl-3.1 and openssl-3.0 branches for someone who is interested in it. |
Actually, from
So, the selection 0 means "get me whatever you can", and leaves it to the application to discover (through probing) what it actually got. |
Yes, it is meaningful for OSSL_DECODER_CTX_new_for_pkey() but not for (at least in the current implementation of providers) for keymgmt import and export functions. |
This is already correct in the rsa_kmgmt.c but other implementations are wrong. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> (Merged from openssl#21519) (cherry picked from commit 1ae4678) (cherry picked from commit 8865d7c)
When decoding 0 as the selection means to decode anything you get. However when exporting and then importing the key data 0 as selection is not meaningful. So we set it to OSSL_KEYMGMT_SELECT_ALL to make the export/import function export/import everything that we have decoded. Fixes openssl#21493 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> (Merged from openssl#21519) (cherry picked from commit 2acb0d3) (cherry picked from commit 137ba05)
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> (Merged from openssl#21519) (cherry picked from commit 4c50610) (cherry picked from commit 42f32b4)
This corrects two serious problems - one in decoders where we try to export/import things with 0 selection which is not meaningful and the second in the actual keymgmt export functions which instead of failing on such export call, they produce bogus (empty) keys.
Fixes #21493